TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin `data-mce-object` injection

8.7 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Description

TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability in the media plugin. Attackers can inject malicious scripts via crafted data-mce-* attributes, which are executed when content is rendered. Impacts users of TinyMCE with the media plugin enabled. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1.

AI Analysis

Stored XSS vulnerability in the media plugin via crafted data-mce-* attributes

Basic Information

ID CVE-2026-47761

Source GitHub_M

Published May 28, 2026 at 15:20

Modified May 28, 2026 at 15:26

Affected Product

Vendor tinymce

Product tinymce

Version < 5.11.1

Affected Versions tinymce tinymce < 5.11.1
tinymce tinymce >= 6.0.0, <= 6.8.6
tinymce tinymce >= 7.0.0, < 7.9.3
tinymce tinymce >= 8.0.0, < 8.5.1

CWE Classification

CWE-79

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor TinyMCE

Product TinyMCE

Version < 5.11.1, < 7.9.3, < 8.5.1

References

{
    "lastseen": "",
    "description": "TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability in the media plugin. Attackers can inject malicious scripts via crafted data-mce-* attributes, which are executed when content is rendered. Impacts users of TinyMCE with the media plugin enabled. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1.",
    "published": "2026-05-28T15:20:57.814Z",
    "modified": "2026-05-28T15:26:49.455Z",
    "type": "cve",
    "title": "TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin `data-mce-object` injection",
    "source": "GitHub_M",
    "references": "https://github.com/tinymce/tinymce/security/advisories/GHSA-vg35-5wq7-3x7w\nhttps://www.tiny.cloud/docs/tinymce/7/7.9.3-release-notes/#overview\nhttps://www.tiny.cloud/docs/tinymce/8/8.5.1-release-notes/#overview",
    "id": "CVE-2026-47761",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "tinymce tinymce < 5.11.1\ntinymce tinymce >= 6.0.0, <= 6.8.6\ntinymce tinymce >= 7.0.0, < 7.9.3\ntinymce tinymce >= 8.0.0, < 8.5.1",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "tinymce",
    "version": "< 5.11.1",
    "vendor": "tinymce",
    "ai_description": "Stored XSS vulnerability in the media plugin via crafted data-mce-* attributes",
    "ai_severity": "High",
    "ai_vendor": "TinyMCE",
    "ai_product": "TinyMCE",
    "ai_version": "< 5.11.1, < 7.9.3, < 8.5.1",
    "ai_score": 8.7
}

TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin `data-mce-object` injection_CVE-2026-47761